Organisations that handle the personal data of people in the EU, wherever those organisations are based, will soon be subject to fines of up to €20 million or four percent of annual global turnover, whichever is greater, if they fail to comply with new data protection law.
These penalties arise from the General Data Protection Regulation (GDPR), which applies from 25 May 2018. Widely dubbed the “biggest shake-up of data protection laws for 20 years”, the GDPR has an extensive reach.
The UK’s Brexit vote does not take UK-based companies off the hook. In December 2016 the UK Government confirmed that, despite the uncertainty surrounding Brexit, UK organisations will need to comply with the GDPR requirements.
The penalties for non-compliance should focus management minds. Consider Yahoo, which recently reported a significant data breach. Had the maximum penalty applied to its roughly €5bn turnover, the fine would have been €200m. Organisations therefore need to start now on putting in place the policies and procedures that mitigate the risk of a regulatory breach in connection with the data they hold and process.
What’s new?
As well as significant penalties and a wide scope, the GDPR introduces a number of other changes that organisations must prepare for. One of the main changes is that data processors, as well as data controllers, are directly subject to the regulation. Any controller that outsources the processing of personal data to a third party must therefore consider the implications: if the processor gets it wrong, your organisation, as the data controller, remains liable to penalties.
Note too that the regulation is designed to give data subjects (the individuals whose data is processed) more control over what information organisations hold on them and how it is used. Under the GDPR, requests for consent must be in clear and plain language: no detailed legalese or jargon. Consent must be as easy to withdraw as it is to give, and data subjects have a right to erasure (the ‘right to be forgotten’), which must be acted on without undue delay. Data subjects are also entitled to a copy of the personal data held about them and an explanation of the purposes for which it is used. Where that data was provided by the data subject and is processed by automated means on the basis of consent or a contract, it must be supplied in a structured, commonly used and machine-readable format so that the data subject can transfer it to another controller under the new data portability right.
If your organisation suffers a personal data breach, the GDPR requires you to notify the supervisory authority (in the UK, the Information Commissioner’s Office, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay. There is also a new legal requirement for ‘data protection by design and by default’, commonly called ‘privacy by design’, which means data protection must be considered at the design stage of any new system implementation.
It is important to note that the ICO can audit your business at any time from 25 May 2018, regardless of whether a breach has occurred. The GDPR applies to every function that processes personal data within a company, and policies must be in place across all areas of the business.
The GDPR requires a Data Protection Officer only in defined cases: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data). Organisations outside these cases need not appoint one, but they must still meet the regulation’s internal record-keeping requirements.
What should you do now?
Your organisation cannot afford to ignore the GDPR. Failure to comply could result not only in a major financial penalty but also in reputational damage or a regulator-imposed ban on processing personal data. As noted above, you could also be subject to an external review to confirm that your organisation has the necessary internal compliance procedures in place.
Make sure key individuals within your organisation understand the implications of the new regulation, how it will affect your business and what is needed to ensure compliance by 25 May 2018.
Successful compliance will require you to consider many issues. For example: what personal data do you currently hold, and where? What procedures are in place to deal with subject access requests and deletion requests? Are your privacy notices up to date? Are your consents up to date and recorded? What processes do you have in place to detect, report and investigate data breaches within the 72-hour window?
Answering such questions and complying with the GDPR is no small job. Your organisation needs to start now to minimise the risk of a regulatory breach and a potentially large financial penalty.
Please get in touch if you would like a free introductory call or follow-up meeting to find out more about the GDPR or how our expert Technology Regulation team can support you.
Christopher Beveridge
Energy, mining & renewables